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Reporting, mandatory certification and 
main establishment in final NIS2 
trilogues 


ONS 4 Introduction 


As trilogue negotiations for a reformed EU framework for the security of network 
and information systems (NIS2) are coming to an end, DIGITALEUROPE would 
like to take the opportunity to reiterate the digital industry's fundamental concerns 
around the direction of the discussions on reporting obligations, mandatory 
certification and main establishment. 


Below, we suggest a few key amendments to the current proposals, along with 
their underlying justifications. We hope that despite the relative advanced status 
of the legislative process, our comments and suggested amendments can be 
taken into consideration given the importance of these topics. 


O N=" 4 Reporting obligations 


Entities’ resources should focus on mitigating incidents in the crucial phases of 
their emergence. The European Commission’s proposal, which requires all incident 
notifications within 24 hours, will force entities to divert excessive resources away 
from mitigation towards legal compliance. This is especially true for SMEs that may 
fall into scope. 


Alignment with the personal data breach notification regime in the General Data 
Protection Regulation (GDPR),' which sets a 72-hour deadline would have been the 
best way forward to ensure consistency. Absent this ideal timeline, the final text 
should converge around the Parliament's position, which specifies that the initial 24- 
hour notification should be reserved for incidents that significantly disrupt service 
availability, with other incidents having to be notified within 72 hours instead. 





Proposed changes to Art. 20(4a): 
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(a) without undue delay and in-_any event within 24 heurs_aferhaving become aware 
an initial notification of the significant incident, eftheincident_aniniial notification, 
unlawiul er malicieus-action: shall contain information available to the notifying entity 
on a best-effort basis as follows: 











(i) with regard to incidents that significantly disrupt the availability of the services 
provided by the entity, the CSIRT shall be notified without undue delay and in any 
event within 24 hours of becoming aware of the incident; 


(ii) with regard to incidents that have a significant impact on the entity other than on 
the availability of the services provided by that entity, the CSIRT shall be notified 
without undue delay and in any event within 72 hours of becoming aware of the 
incident; 


(iii) with regard to incidents that have a significant impact on the services of a trust 
services provider as defined in Article 3, point (19) of Regulation (EU) No 910/2014 
or on the personal data maintained by that trust service provider, the CSIRT shall be 
notified without undue delay and in any event within 24 hours of becoming aware of 
the incident. 











O N=" 4 Mandatory certification 


DIGITALEUROPE is concerned that with Arts 21(2)-(3), the European 
Commission is trying to bypass the compromise achieved on mandatory 
certification under Art. 56(3) of the Cybersecurity Act.? This article was one of the 
key issues debated during the Cybersecurity Act trilogues, and therefore the 
balance achieved there should not be so easily ignored. 


The Cybersecurity Act requires the Commission to carry out a thorough 
assessment of existing schemes before they can be made mandatory. By 
contrast, under Art. 21(2) the Commission can decide to trigger mandatory 
schemes without any such assessment. Under Art. 21(3) the Commission, 
having already decided for mandatory certification without the Cybersecurity Act 
assessment, can subsequently request ENISA to develop a scheme if no 
scheme exists. 


DIGITALEUROPE urges co-legislators to ensure that certification schemes are 
only made mandatory after careful assessment at European level by the 
European Commission following the process established under the 
Cybersecurity Act. 


2 Regulation (EU) 2019/881. 
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To achieve this, a complete reference should be made under Art. 21(2) to the 
assessment procedure set out under the Cybersecurity Act’s Art. 56(3). There 
is no need to repeat the elements of the assessment as they are included by 
virtue of the reference to another EU legal act. 


Additionally, Art. 21(3) should be deleted as it should not be possible for the 
Commission to request the development of a new scheme purely for the purpose 
of making it mandatory. The Commission and Member States already have 
ample flexibility to request the creation of new schemes under Art. 48(2) of the 
Cybersecurity Act. 


The Council text acknowledges the existence of the Cybersecurity Act 
requirements but — because of the generic way it is drafted, and because it omits 
elements of Art. 56(3) that are more directly linked to the assessment of schemes 
themselves — it might still be read as authorising the Commission to first decide 
for mandatory and then ask ENISA to develop the relevant scheme. 





Proposed changes to Art. 21(2): 


The Commission shall be empowered to adopt delegated acts, in accordance 
with Article 36, specifying which categories of essential or important entities shall 
be required to use certain ICT products, services or processes covered by an 
existing European cybersecurity certification scheme adopted pursuant to Article 
49 of Regulation (EU) 2019/881, or obtain a certificate aad under whieh-speeitie 
Eurepean-cybersecurty an existing European cybersecurity certification schemes 
adopted pursuant to Article 49 of Regulation (EU) 2019/88 1 paragraph. The 
adoption of such delegated acts shall be adepted preceded by an assessment of 
the efficiency and use of adopted European cybersecurity certification schemes 
in accordance with Article 356 of Regulation (EU) 2019/881. 


Proposed changes to Art. 21(3): 


Delete 











ONS 4 Main establishment 


We call upon co-legislators to provide a clear main establishment criterion under 
Art. 24 of the final NIS2. The original proposal as well as the Council have played 
with the GDPR definition of ‘main establishment,’ focusing on ‘the place where 
the decisions related to the cybersecurity risk management measures are taken 
in the Union.’ The current criterion centred around where risk management 
decisions are taken — let alone ‘predominantly taken,’ as in the Council version — 
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will make it too unclear for companies to know what authorities they will be 
supervised by. 


The focus on ‘decisions’ ignores that the GDPR (Art. 4(16)) assumes the main 
establishment to be the ‘place of central administration in the Union,’ which can 
only be superseded in cases where ‘decisions on the purposes and means of the 
processing’ are taken elsewhere. This has caused a level of uncertainty around 
enforcement in the GDPR and is unnecessary for NIS2, where ultimately the EU 
headquarters will naturally be the entity that must comply. This also reflects the 
objective stance in the current NIS (Art. 18(1)),°? where the focus is on the ‘head 
office.’ 


DIGITALEUROPE’s proposed solution to this is to either adopt the definition of 
‘place of central administration in the Union’ or revert back to ‘head office’ 
as in the current NIS. 


Finally, we urge co-legislators to include number-independent interpersonal 
communications services (NI-ICS) to the entities subject to main establishment 
under Art. 24.4 NI-ICS are inherently cross-border in nature and their inclusion 
would fulfil the proposal’s objective ‘to ensure that such entities do not face a 
multitude of different legal requirements, as they provide services across borders 
to a particularly high extent.’ 








Proposed changes to Art. 24(2): 


For the purposes of this Directive, entities referred to in paragraph 1 shall be 
deemed to have their main establishment in the Union in the place of their central 
administration in the Union. the-Member State-where_the decisions-_related_tothe 
eybersecurity isk management measures_are_taken_tt such decisions-_are-not 
takentn-_any establishment inthe Union, the-mainestablishment shall be deemed 




















Proposed changes to Recital 64: 


In order to take account of the cross-border nature of the services and operations 
of DNS service providers, TLD name registries, entities providing domain name 
registration services for the TLD, content delivery network providers, cloud 
computing service providers, data centre service providers, number-independent 
interpersonal communications services and digital providers, only one Member 
State should have jurisdiction over these entities. Jurisdiction should be 


3 Directive (EU) 2016/1148. 
4 As defined in Art. 2(7), Directive (EU) 2018/1972. 


5P, 11 of the explanatory memorandum. 
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attributed to the Member State in which the respective entity has its main 


establishment in the Union. +he-crterten-efestablishmentterthe-purpeses-oHthis 
Pirecthveimplies_tieetect-e-exereseohLacia irene stable arrangements. 














systems-_are_physicalocated_in-a given_place;the_presence_and use-of such 
systemsde-eiistbeniseves-_constiniie suehinan establish Renan are 
hercterc-seldecsve-cutere_lo- eateraing thea esteablisheeat The main 
establishment should be #he-place wherethe-decisicns relatedtethe 


Sy bersecnHh is age nes Laessivesare_ tien tthe ies as ad 
typically-correspoena_te-_the place of the companies’ central administration in the 
Union. 4£sueh-decisions-are-neHtakenintheUnion_the-main-establishment 


should be-deemed_tobeinthe Member States_where the entity hasan 
establishmentwith_the_highest numberotemployees_ inthe Union—Where the 
services are carried out by a group of undertakings, the main establishment of 
the controlling undertaking should be considered to be the main establishment of 
the group of undertakings. 




















FOR MORE INFORMATION, PLEASE CONTACT: 
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Manager for Infrastructure and Security Policy 
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About DIGITALEUROPE 


PEST i Ni hc kis hd kc lg pu a cg E i 
DIGITALEUROPE represents the digital technology industry in Europe. Our members include l 
some of the world’s largest IT, telecoms and consumer electronics companies and national l 
associations from every part of Europe. DIGITALEUROPE wants European businesses and l 
citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the l 
world’s best digital technology companies. DIGITALEUROPE ensures industry participation in l 
the development and implementation of EU policies. 


DIGITALEUROPE Membership 


Corporate Members 


Accenture, Airbus, Amazon, AMD, Apple, Arçelik, Assent, Atos, Autodesk, Bayer, Bidao, Bosch, Bose, 
Bristol-Myers Squibb, Brother, Canon, Cisco, DATEV, Dell, Eli Lilly and Company, Epson, Ericsson, ESET, 
EY, Facebook, Fujitsu, GlaxoSmithKline, Global Knowledge, Google, Graphcore, Hewlett Packard 
Enterprise, Hitachi, HP Inc., HSBC, Huawei, Intel, Johnson & Johnson, Johnson Controls International, JVC 
Kenwood Group, Konica Minolta, Kyocera, Lenovo, Lexmark, LG Electronics, Mastercard, Microsoft, 
Mitsubishi Electric Europe, Motorola Solutions, MSD Europe Inc., NEC, Nemetschek, NetApp, Nokia, Nvidia 
Ltd., Oki, OPPO, Oracle, Palo Alto Networks, Panasonic Europe, Philips, Pioneer, Qualcomm, Red Hat, 
ResMed, Ricoh, Roche, Rockwell Automation, Samsung, SAP, SAS, Schneider Electric, Sharp Electronics, 
Siemens, Siemens Healthineers, Sky CP, Sony, Sopra Steria, Swatch Group, Technicolor, Texas 
Instruments, TikTok, Toshiba, TP Vision, UnitedHealth Group, Visa, Vivo, VMware, Waymo, Workday, 
Xerox, Xiaomi, Zoom. 


National Trade Associations 


Austria: IOÖ Greece: SEPE Romania: ANIS 

Belgium: AGORIA Hungary: IVSZ Slovakia: ITAS 

Croatia: Croatian Ireland: Technology Ireland Slovenia: ICT Association of 
Chamber of Economy Italy: Anitec-Assinform Slovenia at CCIS 

Cyprus: CITEA Lithuania: Infobalt Spain: AMETIC 

Denmark: DI Digital, IT Luxembourg: APSI Sweden: TechSverige, 
BRANCHEN, Dansk Erhverv Moldova: ATIC Teknikféretagen 

Estonia: ITL Netherlands: NLdigital, FIAR Switzerland: SWICO 
Finland: TIF Norway: Abelia Turkey: Digital Turkey Platform, 
France: AFNUM, SECIMAVI, Poland: KIGEIT, PIIT, ZIPSEE ECID 

numeum Portugal: AGEFE United Kingdom: techUK 


Germany: bitkom, ZVEI 


